Saturday, October 29, 2011

Researchers Unveil Flaws in Skype

It's so easy that a child could uncover personally identifiable information of millions upon millions of Internet phone users, if the child is a sophisticated, high-school-age hacker.

That's how researchers from the Polytechnic Institute of New York University describe an easily exploitable flaw in Skype and other IP-based phone systems that could potentially disclose the identities, locations and digital files of hundreds of millions of users, according to a new paper, "I Know Where You are and What You are Sharing."

"A hacker anywhere in the world could easily track the whereabouts and file-sharing habits of a Skype user - from private citizens to celebrities and politicians - and use the information for purposes of stalking, blackmail or fraud," Keith Ross, an NYU-Poly computer science professor who headed the research team, says in a statement issued by the school.

The flaw, for instance, could allow marketers to effortlessly link information such as name, age, address, profession and employer from social media sites such as Facebook and LinkedIn in order to build inexpensive profiles, costing them pennies for each individual profile, a bargain.

Though researchers studied only Skype, they say their findings also apply to other IP-based phone systems. Their findings will be presented next month at the Internet Measurement Conference 2011 in Berlin.

Using commercial geo-location mapping services, researchers found they could construct a detailed account of a user's daily activities even if the user had not turned on Skype for 72 hours. Skype and its new owner Microsoft were informed of the researchers' findings. Skype's response wasn't clear on specific steps it has taken to address the vulnerabilities the researchers discovered.

The researchers, however, contend there's a fairly straightforward and inexpensive fix to prevent hackers from taking the critical first step in this security breach: obtaining users' IP addresses through inconspicuous calling. If the Skype protocol were redesigned, a user's IP address would never be revealed unless the call is accepted. That, researchers say, would offer substantially greater privacy.